Intelligent multi-level safe autonomous flight ecosystem

ABSTRACT

A communications ecosystem and related methods of operation include an ecosystem safety level (ESL), a plurality of vehicles or systems, each vehicle or system having an individual safety level (ISL), a control system operable to determine whether the ISL for each vehicle or system meets or exceeds the ESL, and one or more communications links between any first vehicle or system having a first ISL that does not meet or exceed the ESL and a second vehicle or system with a second ISL that does meet or exceed the ESL such that the first vehicle or system operates at the second ISL.

BACKGROUND

The following relates generally to unmanned aircraft vehicles (UAVs) andrelated systems (UASs) for managing unmanned vehicles, and securityconsiderations related to same.

The technology platforms available for unmanned solutions are quicklybecoming mature and more reliable. Artificial Intelligence and MachineLearning (AI/ML) algorithms are quickly becoming “smarter” and morereliable. With the increased acceptance of unmanned platforms and asurge in the capabilities and accuracy of data analytics in thecommercial marketplace as well as significant achievements in AI/MLperformance in robotics, there is expected to be a desire to move theAI/ML capabilities to unmanned aircraft systems (UASs). One problem withthe introduction of AI/ML in UASs is that airworthiness certification isrequired for the unmanned vehicle to fly in the National Airspace System(NAS). Even when designated for use in the battlefield, the U.S.military requires an airworthiness certification before the UAS can befielded. There are at least two main reasons airworthiness certificationis a problem for UASs commanded by AI/ML algorithms. First, thecertified software needs to behave in a deterministic manner, but AI/MLoutputs are inherently not deterministic. Second, even if there was away to convince certification authorities to allow autonomous flightguided by non-deterministic software, the certification requirementswould likely be cost prohibitive. In addition to being cost-prohibitiveto certify, the smaller UAS platforms would likely not be viable toproduce and use because of the redundant equipment requirements (i.e.,the UAS would be too heavy to fly).

Small UAS platforms may provide the most utility to commercial andmilitary markets. In commercial applications, small UASs can becustomized to individual task, for example, for package delivery,security/surveillance, mobile communication relays, and so on. Inmilitary applications, small UASs can be customized to support missionsfor target detection, target identification, electronic warfare, decoyoperations, and self-sacrifice (anti-aircraft weapons, helicopter mines,etc.).

In commercial markets, AI/ML and autonomous operations continue to beaggressively tested (e.g., self-driving cars and delivery drones).Existing UAS platforms without AI/ML algorithms are already in use, butthose applications are mainly GPS navigation applications that have anextremely limited scope or are used in areas of the world that do nothave airspace restrictions. In military markets, the U.S. military iscurrently executing research projects involving AI/ML algorithms formanned/unmanned teaming (MUM-T) for the future battlefield. There is anincreasing need in UAS platforms that are commanded by AI/ML algorithms,but the problem of how to certify a UAS with non-deterministic softwarehas not been solved.

SUMMARY

One aspect of the present disclosure relates to an IntelligentMulti-level Safe Autonomous Flight Ecosystem (IMSAFE) architecture. TheIMSAFE architecture may employ a concept of safety levels. The safetylevels may be defined as, for example, levels 1-5, with 1 being theleast safe and 5 being the most safe. The safety level definitions areintended to be application specific and scalable to any number oflevels. A safety level can be either a single number that is anaggregate of the required functional capabilities needed, or there canbe multiple safety levels, one for each functional capability. Forexample, one scenario may be to define a safety level of 4 to mean theinclusion navigation capability and vehicle and terrain avoidancecapability. A second scenario may be to define a set of dissimilarsafety levels like a navigation capability with a safety level of 3 andvehicle and terrain avoidance capability of 5. When safety levels arediscussed, no inferences should be made that constrain the definition ofthe level to be an aggregate safety level or a set of various safetylevels.

The IMSAFE architecture may employ different types of safety levels. Forexample, there may be an Ecosystem Safety Level (ESL), and each memberof the ecosystem may have an Individual Safety Level (ISL). The ESLidentifies the safety level(s) required for safe participation in theecosystem (i.e., an operational area). The ISL identifies the safetylevel(s) related to an individual member's capabilities. If anindividual member (M1) has a defined ISL equal to or greater than therequired ESL, M1 can operate safely in the ecosystem. If not and M1 cancommunicate, directly or indirectly, with member 2 (M2) and M1 and M2can collaborate to meet or exceed the required ESL to allow M1 tooperate safely in the ecosystem. If the collaboration between M1 and M2occurs, M1's ISL is said to be promoted. If a member with a promoted ISLloses the ability to collaborate with another member that enabledpromotion, the member's promoted ISL will be demoted. A member's ISL canalso be demoted due to external or internal factors resulting in thedegradation of its functional capabilities.

When implementing IMSAFE, the ecosystem needs to be defined. Thedefinition of the ecosystem is intended to be scalable and may depend onspecific operational environments or scenarios or it may mirror anexisting environment such as the National Airspace System (NAS). Anexample ecosystem may consist of multiple vehicles, equipment, humanoperators, and other autonomous agents operating in the samegeographical area working together to accomplish a common mission, goal,or task. An ecosystem of human participants collaborating withautonomous software for decision making and mission or task assignmentis referred to as Manned-Unmanned Team (MUM-T). ESL(s) and ISL(s) fordifferent operational scenarios may be defined differently even thoughthe same ecosystem members are included. For example, the ESL(s) andISL(s) may differ based on, but not limited to, geographic region, timeof day, atmospheric conditions, or military versus commercialoperations. Additionally, IMSAFE implementation may include multipleecosystems with dissimilar ESLs adjacent to one-another with somemembers being members in one or more of the adjacent ecosystems.

Systems and method for secure communications are disclosed. One aspectof the present disclosure relates to a method for secure communicationswithin a defined communications ecosystem, the ecosystem having anecosystem safety level (ESL), a plurality of vehicles or systemsexisting in the ecosystem. The method includes determining whether afirst individual safety level (ISL) for a first vehicle or system in theecosystem is equal to or greater than the ESL. If the first ISL does notmeet or exceed the ESL, the method further includes providing acommunication link between the first vehicle or system and a secondvehicle or system of the ecosystem. The second vehicle or system has asecond ISL, and the second ISL is equal to or greater than the ESL. Themethod further includes operating the first vehicle or system in a safeoperating mode with the first ISL being at least equal to the ESLbecause of the communication link between the first vehicle or systemand the second vehicle or system.

The method may further include at least periodically recalculating thefirst ISL, the second ISL, and the ESL, and modifying the communicationlink if the first ISL becomes equal to or greater than the ESL, or thesecond ISL becomes less than the ESL. The ESL may be based on at leastone of operating conditions, needs, capabilities, terrain, restrictions,and availability. The method may include automatically disconnecting thecommunication link if the ESL is equal to or less than the first ISL.The method may include invoking a predetermined action for the firstvehicle or system if the first ISL does not meet or exceed the ESL andthe communication link is not created. The method may includedetermining the first ISL using at least one of health status,authority, capability, and environment. A health status may include atleast one of communication signal strength, built-in-test results, andreal-time vehicle performance. Authority may include at least one ofteam leader status, team member status, lost communications status,Capability may include at least one of promotion/demotion enabled,maneuverability, sensor/payload/weapons, and energy/fuel requirementsand reserves. Environment may include at least one of altitude, climateor terrain, and atmospheric conditions/weather.

Another aspect of the present disclosure relates to a communicationsecosystem that includes an ecosystem safety level (ESL), a plurality ofvehicles or systems, each vehicle or system having an individual safetylevel (ISL), a control system operable to determine whether the ISL foreach vehicle or system meets or exceeds the ESL, and one or morecommunications links between any first vehicle or system having a firstISL that does not meet or exceed the ESL and a second vehicle or systemwith a second ISL that does meet or exceed the ESL such that the firstvehicle or system operates at the second ISL.

The ecosystem may include a human override capability that controls theone or more communications links. The ecosystem may further include acontroller configured to determine when to create or eliminate the oneor more communications links based on a real-time status of the ESL andthe first and second ISLs. The ESL and the first and second ISLs may beindependently variable, and the one or more communications links may beautomatically controlled based on real-time comparisons of the ESL withthe first and second ISLs. The first vehicle or system may operate basedon one or more predetermined conditions when disconnected from thesecond vehicle or system.

A further aspect of the present disclosure relates to a communicationssystem that includes a first ecosystem having a first ecosystem safetylevel (ESL), a second ecosystem having a second ESL, a first vehicle orsystem having a first individual safety level (ISL), the first ISL beingless than the first ESL, a second vehicle or system having a second ISL,the second ISL being equal to or greater than the first ESL, and a firstcommunications link between the first vehicle or system and the secondvehicle or system that promotes the first ISL to be equal to the secondISL to provide safe operation of the first vehicle or system in thefirst ecosystem.

The system may include a third vehicle or system having a third ISL,wherein the third ISL is equal to or greater than the second ESL, and asecond communications link between the first vehicle or system and thethird vehicle or system that promotes the first ISL to be equal to thethird ISL to provide safe operation of the first vehicle or system inthe second ecosystem. The first communications link may be disconnectedif the first ISL increases to be equal to or greater than the first ESLor the second ISL drops below the first ESL. The second communicationslink may be disconnected if the first ISL increases to be equal to orgreater than the second ESL or the third ISL drops below the second ESL.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a communications ecosystem inaccordance with aspects of the present disclosure, wherein the diagramrepresents a generalization of the types of entities in the ecosystem.

FIG. 2 illustrates another example communications ecosystem inaccordance with aspects of the present disclosure, wherein the ecosystemmay be an example of a viable commercial domain.

FIG. 3 illustrates another example of a communications ecosystem inaccordance with aspects of the present disclosure, such as an expansionof the ecosystem to be situated among larger governance that crossesinto, for example, both civil and military domains.

FIG. 4 illustrates an example communications platform in accordance withaspects of the present disclosure, where the ecosystem introducesfurther security aspects.

FIG. 5 is a schematic representation of safety levels of an examplecommunications ecosystem in accordance with aspects of the presentdisclosure, and provides context for the potential magnitude ofdifferences between defined safety levels using representative picturesof air vehicles familiar to the user community.

FIGS. 6 and 7 illustrate another example of a communications ecosystemin accordance with aspects of the present disclosure, and illustrate anetwork and data flow, respectively, of two air vehicles and a groundsystem that may allow for a vehicle with a low safety level to bepromoted to a higher safety level.

FIGS. 8 and 9 illustrate another example of a communications ecosystemin accordance with aspects of the present disclosure, and illustrate anetwork and data flow, respectively, of two air vehicles and a groundsystem that may allow for a vehicle with a low safety level to bepromoted to a higher safety level and then demoted to a lower safetylevel because of a network disruption.

FIGS. 10 and 11 illustrate another example of a communications ecosystemin accordance with aspects of the present disclosure, and illustrate anetwork and data flow, respectively, of two air vehicles and a groundvehicle that may allow for a ground vehicle with a low safety level tobe promoted to a higher safety level.

FIG. 12 shows a diagram of a system including a device that provides forsecure communications within a communications ecosystem in accordancewith aspects of the present disclosure.

FIG. 13 shows a flow chart illustrating an example method in accordancewith aspects of the present disclosure.

DETAILED DESCRIPTION

The present disclosure relates to an Intelligent Multi-level SafeAutonomous Flight Ecosystem (IMSAFE) architecture, such as a softwaresystem, which may be part of or define a communications ecosystem. TheIMSAFE architecture may enable collaboration of distributed systems(e.g., an ecosystem) to work together to ensure safety while ArtificialIntelligence/Machine Learning (AI/ML) algorithms are operating.Multi-level Safety provided by IMSAFE architecture may include dynamicpromotion and demotion of safety levels. The safety levels may beassigned to individual functionality (e.g., the system/platform can havemultiple functions and can provide dissimilar safety levels). The IMSAFEarchitecture may provide resource sharing of safety-criticalfunctionality and data with trusted sources. The IMSAFE architecture mayprovide reduction development, testing, and approval costs by leveragingexisting systems/platforms with previously approved (i.e., “trusted”)safety-critical functionality, communication interfaces, and/or dataprocessing algorithms. The IMSAFE architecture may also provide reducedcost barrier to market entry for innovative, relatively low-costautonomous systems/platforms that benefit society since ecosystem mayensure safety rather than requiring each individual system/platform toaddress all required aspects of safety.

An ecosystem may be or include a defined, holistic environment withinwhich participating vehicles and/or platforms may operate. Individualfunctionality available in the ecosystem may be assigned an EcosystemSafety Level (ESL) based on many factors such as operating conditions,needs, capabilities, terrain, restrictions, availability, and so on. Itis possible that the same vehicles/platforms can have different ESLvalues in different Ecosystems (e.g., controlled airspace vs.non-controlled airspace). Similarly, the vehicle/platform may have anIndividual Safety Level (ISL) assigned to each capability and/orfunctionality. The ISL values are scored based on vehicle/platformfactors such as capability, performance, types of autonomy algorithmsrunning, the existence of previously approved/certified software,Technology Readiness Level (TRL), and so on. At a minimum, the ISLtypically is equal to the ESL for the vehicle/platform to participate inthe defined Ecosystem. If the ISL does not meet or exceed ESL,capabilities and functionalities in other vehicles/platforms in theEcosystem can be used to bring the ISL up to the required ESL. IfISL>ESL, the vehicle/platform is said to be operating at ISL=ESL (i.e.,capped). If operating at a capped ISL=ESL and ESL is promoted, thevehicle/platform is still safe providing ISL=ESL can be achieved (i.e.,capped or uncapped).

The ISL and ESL may be continuously recalculated during operation withinthe Ecosystem. If ISL does not meet or exceed ESL during operation, apredetermined course of action (i.e., a playbook) for thevehicle/platform may be invoked. ISL and ESL can be promoted or demotedduring operation. In a given Ecosystem, ISL typically cannot exceed therequired ESL. If ISL is greater than required ESL for any participant inthe Ecosystem, the predetermined course of action will take that intoaccount whenever ISL=ESL.

The present disclosure includes a number of system-level featuresincluding human-in-the-loop/human-on-the-loop functionality thatprovides a path for a single operator supervised in full multiple mannedand unmanned platforms. A distributed autonomy (“a la carte” autonomy)and protection may include control, monitoring/feedback, tasking,approval “voting”, and vehicle and sensor control based on the fusion ofsafety-critical data from other platforms and certified systems.Playbook reversion may include reverting to a preloaded, deterministic“playbook” when experiencing, for example, lost communications, GPS isdenied, or when a critical system in the ecosystem is inoperative orexperiences a degradation of performance. A multilevel autonomousoperation may include a layered approach of various levels that enable,restrict or prevent use of AI/ML algorithms.

Platform-level highlights include, for example, a promotion/demotion ofauthorization levels, wherein platform constraints are removed or addeddepending on availability of airspace, communications, navigation, UAS,and installed sensor help status. Safe Airspace Volume (SAV) may ensureUAS flightpath remains within a defined airspace set of restrictions. Ascheduled autonomy may include enforcement of temporal constraints anddeterministic sequencing of AI/ML algorithms. A partitioned or redundantdata bus may include high-TRL and safety-critical data that is eitherphysically separated or its integrity is independently validated.

System integrity aspects of the present disclosure may includecybersecurity, wherein outermost layer of architecture protects againstunauthorized access. Functional partitions may include boundariesbetween high-confidence and low TRL AI/ML algorithms and high TRL and/orcertified software.

In one scenario, airworthiness approval is available for a DO-178C basedSafe Airspace Volume (SAV)/Keep-in-algorithm (MA) concept to achieveLevel of Interoperability (LOI) 4 control of a UAS. The concept involvesthe creation of a three dimensional volume (the SAV) that accounted forknown terrain and obstacle clearance as well as known altitude andairspace restrictions. The SAV may include a safety boundary to ensurethe UAS can maneuver within its flight envelope near the edge of the SAVwhile remaining safely inside. When calculating a flight plan (e.g.,series of waypoints) for the UAS, waypoints may be fed to the MA toverify the calculated flight plan (or task) can be completed whilekeeping the UAS inside the SAV. The SAV/KIA may be useful since LOI 4operations allowed the user to control the altitude and airspeed of theUAS, but the user may not have appropriate qualifications to fly the UASunsupervised.

For current UAS operations, the ground control station (GCS) may have aqualified pilot acting as pilot in command of the UAS. A user, sometimesreferred to as the supervised user, may coordinate via, for example,radio to the GCS to initiate a request to take control of the UAS.Assuming the supervised user's control unit is included in a preloadedschedule on the UAS and is within their scheduled time window, thesupervised user would be granted control of the aircraft and its payloadby the supervising controller (i.e., in the GCS). This may requirepre-planning, coordination, and special equipment for the superviseduser. The supervised user scenario may work, for example, for a soldieron the ground, but when a qualified air crew needs to take control ofthe UAS to laser designate a target and/or fire weapon, the SAV/KIA maybe restrictive for the manned/unmanned teaming (MUM-T) environment.Modifications to software supporting the Army's Interoperability Profile(TOP) specifications may be required to support MUM-T. Since qualifiedand non-qualified users can typically use the radio and negotiate usageof the UAS, the next step in the evolution of the architecture may bethe remote supervised user (RSU). The RSU allows for the supervised userto sublease their level of control of the UAS without requiring thedevice gaining control to be in an authorization schedule or even on thesame radio network as the GCS. In some scenarios, the GCS operator,which may be referred to as the supervised controller, is able to takeback control even though it was sublet. This evolutionary step allowed,for example, individual users with computers connected to the Army'sSecret Internet Protocol Router Network (SIPRNet) to command and controlthe UAS.

Further applications for MUM-T operations are possible with moreemphasis on allowing AI/ML software to make autonomous decisions inanti-access/area denial (A2AD) during peer on peer conflicts whilecoordinating mission plans and status with the future fleet consistingof, for example, a combination of manned and unmanned attack helicoptersand air launched effects (ALEs). The platform software may includeautonomous software running on the UAS, ALEs, and the Future VerticalLift (FVL) aircraft. All of these platforms may work together toidentify and attack threats and proceed to the engagement area with anintent of reducing workload, for example, for an Air Weapons Team Lead(AWT-L).

The platform autonomy may perform automatic target recognition,objective/task-based assignments, dynamic contingency planning based onvehicle and communication health, and so on while maintaining safeautonomous flight. This new environment may include the autonomousagents on the FVL, ALEs, and UASs to communicate and coordinate witheach other and use AI/ML software plan and execute tasks/objectives withand without human involvement. The solution may be architected so it isairworthy, and there may be a constraint that ALEs are expendable, lowcost air vehicles that contain different payload configurations. Sincethe ALEs typically fly low to the ground (i.e., maybe even in a terrainavoidance mode), the ALEs may be part of the active battlefield (i.e.,they do not just fly around at high altitudes taking video), ALEs andother platforms may require AI/ML planning agents, and all autonomousplatforms may be flying in close proximity. As such, the overhead andstatic nature of the SAV/KIA and preloaded authorization schedules maynot be sufficient to support the ALE in the future battlefield.

The present disclosure may relate to software architecture that includesmultiple safety levels that allow (or prohibit) autonomous flight basedon capabilities, air vehicle status/health, location, and weaponsrelease authorization. Further, the functionality required to achieveairworthiness certification may be distributed between platforms(including ground platforms) to allow for safe, autonomous flight. Forexample, a non-deterministic ALE may be configured to calculate a flightplan and a UAS with certified, safety-critical software may collaboratewith a ground station with safety-critical software that can interveneif the calculated route is not acceptable. Likewise, decision makingcapabilities and the assignment of safety levels may be distributedthroughout an ALE team that is on a mission which is out of contact withthe supervising controller that launched the ALEs or in a GPS deniedarea to provide the necessary redundancy for safe, autonomous flight.This new architecture and software may be referred to as the IntelligentMulti-level Safe Autonomous Flight Ecosystem (IMSAFE) architecturementioned above.

In current markets, IMSAFE architecture may address some of thecertification problems with UASs being used for deliveries and forautonomous software being developed for such programs as the Army'sAdvanced Teaming project to demonstrate autonomous behaviors in a MUM-Tenvironment. The problem may be solved at least in part using IMSAFEarchitecture since distributed systems utilize a multi-layered safetyarchitecture that allows the smaller UASs to use AI/ML software and lessexpensive hardware for obstacle detection (e.g., lidars and/or EO/IRcameras) that will enable longer flights at lower altitudes without theneed to specifically certify the AI/ML software on the UAS. At leastsome of the UASs used for deliveries currently rely on known data (e.g.,GPS location and published terrain and obstacle height) and flight pathsthat have to be pre-planned. The reliance on known data restrictsdelivery companies to operate in a static environment (e.g., no otheraircraft, no unplanned terrain or obstacles). Although GPS will enableplanned flight routes that inherently de-conflict other air traffic, therestriction of a static environment means UASs typically cannot be usedover a larger geographical area. This is because new obstacles (e.g.,houses, radio towers, buildings, etc.) can “pop up” at any time. Thestatic environment restriction means the operational area for the UAShas to be well known and unlikely to change over time or else the UAShas to fly high over the terrain while in the enroute phase.

In the commercial market, the higher flight routes may cause conflictsin the NAS that require relatively expensive avionics and groundequipment to resolve. In the military market, the need to fly higher mayexceed the ALEs fight performance and may cause errors. The higherflight may also jeopardize war fighters since the UASs may be easier tospot and either give away a war fighter's position or cause an assetthat provides critical mission data to be lost.

There are several examples of the limitations for UAS operations becauseof the certification problem. In October of 2019, the FAA approved alarge parcel delivery company to use drones to deliver medical packagesto locations on a large medical campus. This illustrates the constraintsfor the UAS in the NAS. An example of operations only possible in alarger, static geographical area is illustrated with a company that usesa UAS to deliver vital medical supplies to remote villages in othercountries where manned vehicle travel is not possible or practical fordelivery of life saving supplies. The operational areas for this companyhave sparse populations and exist in areas where it is unlikely that abuilding or radio tower will “pop up” and the UAS can fly high overterrain without conflicting with other air traffic. For companies suchas these to deliver in large geographical areas within the U.S., theUASs will need to be able to fly a known route while detecting andmaneuvering around unknown obstacles and make contingency decisions.This creates a problem because cost constraints, weight, and powertechnologies exist to do this, but the AI/ML algorithms and equipmentneeded are not certifiable. With IMSAFE architecture, companies wantingto fly UASs in the NAS can make a low cost, small UAS platform a viablesolution. The IMSAFE architecture provides a stable platform forcertification activities that can be leveraged for an unrestricted UASfleet.

Airworthiness certification is currently granted using a specific systemof software components. Although the software components that implementsafe, autonomous flight execution can be distributed, all components inthe distributed system may be installed on the air vehicle. With IMSAFEarchitecture, the functionality required to provide safe, autonomousflight execution can be distributed to different systems includingsystems on other air vehicle platforms and systems on ground platforms.These systems may include systems with existing airworthy software thusreducing the overall cost of the system and keeping the UAS cost down.Leveraging distributed systems containing existing certified softwareand architecting multiple safety-levels, the UAS can usenon-deterministic AI/ML software to perform its required task whilemaintaining safe, autonomous flight execution. Since the architecture ofIMSAFE architecture leverages existing RSU technology, there may be aninherent safety feature since control of the UAS being commanded bynon-deterministic AI/ML software can always be taken back by asupervisor (e.g., human or AI/ML) if errant operation is planned orobserved.

The IMSAFE architecture can also support multiple, non-redundant datasources. IMSAFE architecture utilizes, for example, SNC TRAX® todistribute J-series, K-series, or CoT data in the multi-level safetyarchitecture to eliminate reliance on one particular interface positionreporting, tasking, point of interest identification, and proliferationof sensor data. Using multiple data formats and non-redundant data fromvarious sources with, for example, SNC TRAX® enables IMSAFE architectureto obtain the necessary data to allow “dumb” UAS platforms with AI/MLsoftware to perform safe, autonomous flight execution. To more safelyaccommodate the dynamic environment for the enroute phase in commercialapplications or any flight phase in military applications, the IMSAFEarchitecture may include the ability for the dynamic promotion ordemotion of safety levels. This allows the UAS platform software toutilize trusted data from distributed sources along with localparametric data such as UAS health (e.g., fuel, power, built in testfailures, etc.), navigational health (e.g., GPS signal strength), andweapons stores to better ensure continued safe, autonomous flightexecution.

The safety level can be determined and/or demoted/promoted throughcollaboration voting in distributed platforms, which may or may not beall air platforms. An integral part of the multi-level safetyarchitecture and its safety level promotion/demotion capabilities may bethe ability to collect position data from disparate networks and “dumb”UASs for safety level demotion/promotion and, if necessary,authorizations for non-flight related safe operations that are prevalentin the MUM-T scenario (i.e., thus making it safe MUM-T operations).

An example of an implementation of IMSAFE architecture with safety leveldemotion/promotion is the use of a simple cursor on target (CoT) messagefor platform position and mesh radio connection. If a manned FutureVertical Lift (FVL) and the Air Launched Effects (ALEs) it launches arewithin close proximity of each other but out of communication with eachother (i.e., the ALEs are within communication proximity of each other,but not all ALEs are within communication proximity of the FVL), the“dumb” ALE can output its position and give status on its AI/ML computedmission/task that is relayed through another member of the ALE team tothe certified software in the FVL where deterministic decisions can bemade. For example, in a non-flight safety example, a weapons enabled UASin a MUM-T scenario in which the UAS loses communications with asupervising controller or its control is gained by a supervised user whois not trained for weapons release can have its safety level demoted toa lower safety level until communication is regained or the superviseduser is a different user (or autonomous agent) qualified to releaseweapons or use the laser designator.

These MUM-T scenarios enabled by the IMSAFE architecture are uniquesince they use a multi-level safety approach that allows for distributedsoftware components with existing airworthiness certifications tocollaborate and allow AI/ML to control ALEs or other UAS platforms withnon-deterministic software initiating the command and control. Existingsoftware architectures employ a “traditional” single layered safetyapproach with onboard redundancy required. The IMSAFE architecture mayenable distributed, non-redundant systems to collaborate and create aflight environment where uncertified, non-deterministic AI/ML softwarecan command and control the UAS while still maintaining a safe,autonomous flight execution.

FIG. 1 illustrates a block diagram illustrating one example of acommunications ecosystem 100 in which the present systems and methodsmay be implemented. For example, the communications ecosystem may be anexample of general communication and computing hardware, regardless ofthe domain (e.g., aerospace domain) the ecosystem is situated in. Insome examples, the systems and methods described herein may be performedon a device (e.g., device 105). As depicted, the ecosystem 100 mayinclude a device 105, a server 110, a network 115, and a database 120.The network 115 may allow the device 105, the server 110, the database120, and other components of the ecosystem 100 to communicate with oneanother.

Examples of the device 105 may include any combination of, for example,mobile devices, computers, communications equipment, airborne or groundvehicles, satellites, or any combination thereof.

Examples of server 110 may include, for example, a data server, a cloudserver, proxy server, mail server, web server, application server,database server, communications server, file server, home server, mobileserver, name server, or any combination thereof.

In some configurations, the device 105 may include a user interface 135,application 140, and security manager 145. Although the components ofthe device 105 are depicted as being internal to the device 105, it isunderstood that one or more of the components may be external to thedevice 105 and connect to device 105 through wired or wirelessconnections, or both. Examples of application 140 may include a webbrowser, a software application, a desktop application, a mobileapplication, etc. In some examples, application 140 may be installed onanother component of ecosystem 100, such as one of the device 105-a or105-b, security manager 145, server 110, or database 120. Althoughdevice 105 is illustrated with an exemplary single application 140, insome examples application 140 may represent two or more differentapplications installed on, running on, or associated with device 105.

In some examples, device 105 may communicate with server 110 via network115. Examples of network 115 may include any combination of cloudnetworks, local area networks (LAN), wide area networks (WAN), virtualprivate networks (VPN), wireless networks (using 802.11, for example),cellular networks (using 3G, LTE, or 5G, for example), etc. In someconfigurations, the network 115 may include the Internet. In someexamples, the device 105 may not include security manager 145. Forexample, device 105 may include application 140 that allows device 105to interface with a separate device via security manager 145 beinglocated on another device such as a computing device or server 110 ordatabase 120, or any combination thereof.

In some examples, at least one of device 105, server 110, and database120 may include security manager 145 where at least a portion of thefunctions of security manager 145 are performed separately orconcurrently on device 105, server 110, database 120, or other device ofecosystem 100. In some examples, a user may access the functions ofdevice 105 (directly or through device 105 via security manager 145)from another one of the devices 105-a, 105-b, or server 110, or database120. In some examples, devices 105 may include a mobile application thatinterfaces with one or more functions of device 105, security manager145, or server 110, or database 120.

In some examples, server 110 may be coupled to database 120. Database120 may be internal or external to the server 110. In one example,device 105 may be coupled to database 120. In some examples, database120 may be internally or externally connected directly to device 105.Additionally or alternatively, database 120 may be internally orexternally connected directly to device 105 or one or more networkdevices such as a gateway, switch, router, intrusion detection system,etc.

FIG. 2 illustrates an ecosystem 200 that may be one example of theecosystem 100, or components thereof, described with reference toFIG. 1. In at least one example, the ecosystem 200 is a situated examplein one possible commercial domain. The ecosystem 200 includes a vehicleor device 205 that may be one example of the device 105 described abovewith reference to FIG. 1. The ecosystem 200 may also include ahuman-in-the-loop 210, a delivery drone 215, a commercial survey drone220. The vehicle 205 may receive tasking communications 225 from thehuman-in-the-loop or human-on-the-loop 210. The vehicle 205 may providetasking/monitoring communications 230-a with the delivery drone and230-b with the commercial survey drone 220.

The ecosystem 200 may be one example of a distributed autonomy systemthat provides task relay, safety monitoring, multi-level autonomousoperations, and distributed data. In at least some examples, thedelivery drone 215 and commercial survey drone 220 may, by themselves,have relatively low levels of security and related securitycertifications. By coupling via the tasking/monitoring 230 with thevehicle 205, the security levels of the delivery drone 215 andcommercial survey drone 220 may be upgraded, at least temporarily, whilea communication link exists with the vehicle 205.

FIG. 3 shows another example ecosystem 300 that may be one example ofthe ecosystem 100, or components thereof, described with reference toFIG. 1. The ecosystem 300 may be an example of application of theinventive ideas disclosed herein to the commercial sector and militaryapplications, and an intersection with governance of airspace ingeneral. The ecosystem 300 includes a plurality of vehicles or devices205-a-d, which may be examples of the devices 105 described above withreference to FIG. 1. The ecosystem 300 may also include a delivery drone215, a weapons release 305, and a plurality of communication links310-a-e provided between the vehicles 205-a-d and/or the delivery drone215.

The ecosystem 300 may be one example of a distributed autonomy system.The system shown in FIG. 3 may provide voting between platforms, such asvarious TRL algorithms, distributed functionality for safe flight, lostcommunications, and command/navigation related to SAV, weapon systems(military), and package drop (commercial).

In the ecosystem 300, any one of the vehicles 205-a-d and a deliverydrone 215 may have a relatively low level of security or securitycertification. By providing communication link 310-a-e and othermeasures, the security level of any one of the vehicles 205-a-d anddelivery drone 215 may be elevated to a higher level of security, suchas the security level of any one of the other vehicles 205-a-d to whicha communication link 310-a-e is available.

In at least some examples, one of the communication links 310-a-e may belost and/or a GPS connection denied for any one of the vehicles 205 a-d.In such circumstances, the ecosystem 300 may revert to a preloaded“playbook” for the system for any one of the vehicles 205-a-d ordelivery drone 215. The preloaded playbook may include, for example, asafe altitude, a safe speed, or a safe route. In a lost communicationsand/or a GPS denied scenario, the autonomy level for the vehicle may bedemoted. Further, there may be continuous attempts to collaborate and/orconnect with other vehicles using, for example, a shared status,synchronized routes, or communications relay whenever the denial or lostcommunications is resolved.

FIG. 4 shows an example platform for use with one or more of the exampleecosystems disclosed herein. The platform of FIG. 4 may progress theidea of the ecosystems disclosed herein being made up of platforms, andplatforms needing safety and security measures that allow a platformwith certified subsystems to host an experimental system in a safe andbounded way. The platform 400 includes AI/ML system capability 405 thatis surrounded by a security fence 410. The platform 400 further includescontrol 415, navigation 420, flight management 425, and health status430. At least some of the control 415, navigation 420, and flightmanagement 425 may be connected with communications links 435-a and435-b that provide communication therebetween. The AI/ML 405 may befiguratively fenced off or protected from the control 415, navigation420, flight management 425, and other aspects of the platform 400.

The platform 400 may be one example of a partitioned autonomy. Thepartitioned autonomy may include, for example, a data bus, functionalpartitions, airspace constraints, timing constraints, a separatefunctionality, and autonomy scheduler. The separate functionality mayinclude, for example, control monitoring/feedback loops, tasking,execution, voting, payload/sensors, and the like.

FIG. 5 shows an example ecosystem 500 that may be one example of theecosystem 100, or components thereof, described with reference toFIG. 1. The ecosystem 500 may schematically show that the platform'ssubsystems each have their own level of safety and the platform canmanage those levels distinctly. The ecosystem 500 includes a schematicrepresentation of different levels of security 1-5. The ecosystem 500shown in FIG. 5 may be an example of a multi-level autonomy diagram thatillustrates and summarizes multiple safety levels. Generally, FIG. 5provides context for the potential magnitude of differences betweendefined safety levels using representative pictures of air vehiclesfamiliar to the user community. FIG. 5 illustrates potential safetyassignments ranging from less mature systems and software at safetylevel 2, to highly mature systems and software at safety level 5 thatcould have existing airworthiness approvals. The diagrams that follow inFIGS. 6-11 may be representative of example use cases related to thepresent disclosure.

The ecosystem 500 includes a plurality of vehicles or devices 205-a-fthat are positioned or operable within one or more of the securitylevels 1-5. The security levels 1-5 may also be referred to as safetylevels 1-5. Different numbers of security levels may included inecosystem 500, such as 2-4 levels or more than 5 levels.

An Individual Safety Level (ISL) may be a safety level for functioningin the individual, autonomous vehicle/platform that is participating ina defined ecosystem. An Ecosystem Safety Level (ESL) may be a safetylevel required for vehicle/platform functionality in the definedecosystem. Safe operation for a given vehicle 205-a-f requires thatISL=ESL. This equation can be met using approximate functionality on anyparticipant in the ecosystem 500. ISL and ESL may be dynamicallycalculated to assess multiple factors. Such calculations may result inpromoting the ISL and/or ESL to a higher security or safety level. Thecalculations may result in demotion of the ISL and/or ESL to a lowerlevel of safety and/or security.

The ISL and ESL may be dynamically assessed factors related to, forexample, health status, authority, capability, and environment, amongothers. The health status may include, for example, communication signalstrength, built-in test results, and real-time vehicle performance.Authority may include, for example, team leader, team member, and lostcommunications. Capability may include, for example, apromotion/demotion enabled, maneuverability, sensors/payloads/weapons,and energy/fuel requirements and reserves. Environment may include, forexample, altitude, desert or flat terrain, mountainous terrain, andatmospheric conditions and/or weather. The assessed factors may includecomponent Technology Readiness Level (TRL) or existing safetycertification. Assessed factors may include, for example, cybersecurityneeds and human-in-the-loop/human-on-the-loop override capabilities.

An example use case scenario is now described with reference to FIGS. 6and 7 and Tables 1 and 2 included below. FIGS. 6 and 7 illustrate anetwork and data flow, respectively, of two air vehicles and a groundsystem that may allow for a vehicle with a low safety level to bepromoted to a higher safety level. The safety level is promoted becausemembers of the ecosystem not in direct contact with each other arecollaborating to provide unique equipment and computational algorithm(s)integral to the ecosystem for autonomous operation, but not native tothe promoted air vehicle.

In this scenario, an example ecosystem 600 is shown in FIG. 6 includinga plurality of vehicle 605-a-d interconnected with active communicationslinks 610-a-c. The ecosystem may be one example of the ecosystem 100, orcomponents thereof, described with reference to FIG. 1.

As shown in Table 1, Vehicle A has a required ecosystem capabilityrelated to route management, terrain following and navigation. TheVehicle A Individual Safety Level (ISL) for route management is 1, forterrain following is 1, and for navigation is 2. Required EcosystemSafety Level (ESL) for route management is 3, for terrain following is3, and for navigation is 4. As a result, ISL=ESL for all requiredfunctionality related to route management, terrain following, andnavigation.

In this scenario, Vehicle B has an ISL of 5 for route managementcapability, which relates to a Safe Airspace Volume (SAV) andKeep-it-safe Algorithm (MA) on board. By providing an activecommunication link 610-a between Vehicles A and B, the ISL routemanagement for Vehicle A is promoted to 3, which is the required ESL forroute management for Vehicle A.

Vehicle C has an ISL of 4 for terrain following capabilities, whichincludes Digital Terrain Elevation Data (DTED) availability. Providingthe active communication link 610-b between Vehicles A and C results inthe ISL for terrain following capability for Vehicle A being promoted to3, which is the required ESL for Vehicle A for terrain following.

Platform D has an ISL of 4 for radar position capabilities fornavigation. Providing the active communication link 610-c betweenVehicle A and Platform D results in the ISL for navigation for Vehicle Abeing promoted to 4, which is the required ESL for navigation forVehicle A.

FIG. 7 shows a dataflow diagram for the scenario explained above withreference to FIG. 6 and Tables 1 and 2. FIG. 7 shows ecosystem 600 withvehicle 605-a-d representing Vehicles A-C and platform D. The dataflowincludes transfer of route data 705 from Vehicle B to Vehicle A, andobjective data 710 transferred from Vehicle A to Vehicle B. Objectiveand route data is transferred from Vehicle A to Vehicle C, and updatedroute data 720 is transferred from Vehicle C to Vehicle A. Positionupdates 725 are transferred from Platform D to Vehicle A.

TABLE 1 Vehicle A Required Individual Ecosystem Safety Level SafetyLevel Required Ecosystem Capability (ISL) (ESL) Vehicle A - RouteManagement 1 3 Vehicle A - Terrain Following 1 3 Vehicle A - Navigation2 4

TABLE 2 Effect on Scenario Vehicle A Vehicle A establishes communicationwith Vehicle B. ISL Route Vehicle B has ISL = 5 Route Managementcapabilities Management (has a safe airspace volume - SAV - and keep-in-promoted to 3 algorithm - KIA - onboard). Vehicle A establishescommunication with Vehicle C. ISL Terrain Vehicle C has ISL = 4 TerrainFollowing capabilities Following (has digital terrain database - DTED -available). promoted to 3 Vehicle A establishes communication withPlatform D. ISL Navigation Platform D has ISL = 4 radar positioncapabilities Promoted to 4 for navigation.

In some scenarios, the Vehicles A-C may be controlled at least in partby a ground station. Different levels of control (i.e., levels ofinteroperability (LOI)) may be used to provide this control. In theselevels, some users can only control the payload of the vehicle (e.g., acamera) and some users can control the payload and change altitude,airspeed, and other aspects of the vehicle to, for example, obtainbetter views. The process of giving control to a user requires passingcontrol during a specific time window. This may be done with a fixedschedule with times and unique participant identifiers preloaded on theair vehicle. When the ground control station operator hands control toone user, that user may be considered a supervised user because theground control station operator will monitor the vehicle and can takeback control from the user at any time with or without notification.

Other scenarios involve Remote Supervised User (RSU) technology. Withthe RSU, the supervised user can sublease her control to some other userthat is not part of the pre-planned schedule. This may permit, forexample, some other software to effectively send payload and aircraftsteering comments because they networked to the “real” supervised user'ssoftware (i.e., the “real” supervised user sends commands on behalf ofthe remote user). In the example of FIGS. 6 and 7, the Vehicles A-C maybe consider being supervised. Further, for example, Vehicle A may beconsidered being bolstered.

A second use case is now shown and described with reference to FIGS. 8and 9 and Tables 3 and 4 shown below. FIGS. 8 and 9 illustrate a networkand data flow, respectively, of two air vehicles and a ground systemthat may allow for a vehicle with a low safety level to be promoted to ahigher safety level and then demoted to a lower safety level because ofa network disruption. The safety level was originally promoted becausemembers of the ecosystem were collaborating to provide unique equipmentand computational algorithm(s) integral to the ecosystem for autonomousoperation, but a loss of communications resulted in the invocation of aplaybook operational scenario resident on the vehicle commensurate withthe reduction in capabilities.

FIG. 8 shows ecosystem 800 that includes vehicles 605-a-d that representVehicles A-C and Platform D. The ecosystem 800 may be one example of theecosystem 100, or components thereof, described with reference toFIG. 1. As shown in Table 3, Vehicle A has route management ISL of 1 andrequired ESL of 5, terrain following capability ISL of 1 and requiredESL of 2, and navigation capability with ISL 2 and required ESL 4.

In this scenario, Vehicle B has an ISL of 5 and an ESL of 5 for routemanagement capability, which may include a Safe Airspace Volume (SAV)and Keep-in-Algorithm (MA) on board. Once a communication link isestablished between Vehicles A and B, the ISL route management forVehicle A is promoted to 5, which is the required ESL for routemanagement for Vehicle A.

Vehicle C has an ISL of 4 and an ESL of 3 related to terrain followingcapabilities, which includes Digital Terrain Elevation Data (DTED)availability. Once Vehicle A establishes the communication link withVehicle C, the ISL for terrain following capability for Vehicle A ispromoted to 2, which is the required ESL for terrain following forVehicle A.

Platform D has an ISL of 4 and an ESL for 4 for radar positioncapabilities for navigation. Once Vehicle A establishes communicationwith Platform D, the ISL navigation for Vehicle A is promoted to 4,which is the required ESL for navigation for Vehicle A.

When Vehicle A loses communication with Vehicle B (lost communication805), the ISL route management capability for Vehicle A is demoted to 1,which is the ISL for route management for Vehicle A.

FIG. 9 shows dataflow for the ecosystem 800 between the vehicles605-a-d, which represent the Vehicles A-D and Platform D. In FIG. 9, thelost communications between Vehicles A and B result in missing objectiveand route transfer 905. As a result, a playbook is invoked for VehicleA, and the ISL is demoted to 1. Objective and route data 715 iscommunicated from Vehicle A to Vehicle C, and an updated route data 720is communicated from Vehicle C to Vehicle A. Position update data 725 iscommunicated from Platform D to Vehicle A as in the scenario describedabove with reference to FIGS. 6 and 7.

TABLE 3 Vehicle A Required Individual Ecosystem Safety Level SafetyLevel Required Ecosystem Capability (ISL) (ESL) Vehicle A - RouteManagement 1 5 Vehicle A - Terrain Following 1 2 Vehicle A - Navigation2 4

TABLE 4 Effect on Scenario Vehicle A Vehicle A establishes communicationwith Vehicle B. ISL Route Vehicle B has ISL = 5/ESL = 5 Route ManagementManagement capabilities (has a safe airspace volume - SAV - and promotedto 5 keep-in-algorithm - KIA - onboard). Vehicle A establishescommunication with Vehicle C. ISL Terrain Vehicle C has ISL = 4/ESL = 3Terrain Following Following capabilities (has digital terrain database -DTED - promoted to 2 available). Vehicle A establishes communicationwith Platform D. ISL Navigation Platform D has ISL = 4/ESL = 4 radarposition Promoted to 4 capabilities for navigation. Vehicle A losescommunication with Vehicle B. ISL Route Management demoted to 1,playbook invoked

Generally, the playbook concept is used to identify a tangible safety“relief valve” or “emergency procedure” that is resident on the vehiclein the event there was a degradation that results in a demotion. Theplaybook may provide for a plan such as “if this happens then do thefollowing . . . ”, and/or “if these things happen, then do the following. . . ”, based on what may be appropriate for the vehicle, scenario,and/or environment. For example, the evasive actions can range fromsimple actions for the vehicle like climbing to something moresignificant like crashing itself (i.e., for an air vehicle) or brakeson, motor off (e.g., for a ground vehicle). There could be differentplaybooks for the same scenarios in different environments (e.g.,different playbooks for sparsely populated areas verses denselypopulated areas, desert versus mountainous region, and so on). One usecase for the playbook could be that a human operator takes back controlof the vehicle and overrides the automation. In this case, the playbookresident on the vehicle is simply the override logic, and theimplementer of the playbook may have a choice.

A third use case is now described with reference to FIGS. 10 and 11 andTables 5 and 6 shown below. FIGS. 10 and 11 illustrate a network anddata flow, respectively, of two air vehicles and a ground vehicle thatmay allow for a ground vehicle with a low safety level to be promoted toa higher safety level. The safety level is promoted because members ofthe ecosystem provide unique equipment and computational algorithm(s)integral to the ecosystem for autonomous operation, but not native tothe ground vehicle.

In this third use case scenario, an ecosystem 1000 is shown in FIG. 10to include vehicles 105-a-c, which represent Vehicles A and C andPlatform B. The ecosystem 1000 may be one example of the ecosystem 100,or components thereof, described with reference to FIG. 1.

As shown in Table 1, Vehicle A has route management ISL of 3 andrequired ESL of 4, terrain and obstacle avoidance capability ISL of 0and required ESL 4, and navigation capability of ISL 2 and required ESL4. As shown in Table 6, Platform B has an ISL of 5 for route managementand an ISL of 5 for navigation capabilities, which may include groundstation with human calculated route and position monitoring. When acommunications link 610-a is established between Vehicle A and PlatformB, the ISL for route management for Vehicle A is promoted to 4 andnavigation is promoted to 4 for Vehicle A.

Vehicle C has an ISL of 4 for terrain following capabilities, which mayinclude Digital Terrain Elevation Data (DTED) and Laser Radar (LIDAR)availability. When Vehicle A establishes a communications link withVehicle C, the ISL terrain following capabilities for Vehicle A arepromoted to 4.

FIG. 11 shows the ecosystem 1000 with dataflow between the vehicles1005-a-c. Position data 1115 is provided between the Vehicle A andPlatform B, and route data is also communicated between Vehicle A andPlatform B. Continuous terrain and obstacle route data 1105 iscommunicated from Vehicle C to Vehicle A, and route and position data1110 is communicated from Vehicle A to Vehicle C.

TABLE 5 Vehicle A Required Individual Ecosystem Safety Level SafetyLevel Required Ecosystem Capability (ISL) (ESL) Vehicle A - RouteManagement 3 4 Vehicle A - Terrain and Obstacle Avoidance 0 4 VehicleA - Navigation 2 4

TABLE 6 Effect on Scenario Vehicle A Vehicle A establishescommunications with Platform B. ISL Route Platform B has ISL = 5 RouteManagement and Management Navigation capabilities (Ground station withhuman promoted to 4 calculated route and position monitoring). and ISLNavigation promoted to 4 Vehicle A establishes communications withVehicle C. ISL Terrain Vehicle C has ISL = 4 Terrain Followingcapabilities Following (has digital terrain database - DTED - and LaserRadar - promoted to 4 LIDAR - available).

FIG. 12 shows a diagram of a system 1200 including a device 1205 thatsupports dynamic accessibility compliance of a website in accordancewith aspects of the present disclosure. The device 1205 may be anexample of or include the components of device 105, or other devices asdescribed herein. The device 1205 may include components fortransmitting and receiving communications, including a security manager145, an I/O controller 1215, a transceiver 1220, an antenna 1225, memory1230, and a processor 1240. These components may be in electroniccommunication via one or more buses (e.g., bus 1245).

The security manager 145 may provide at least some of the functionalityrelated to the ecosystems 100-1000 described above with reference toFIGS. 2-11. For example, the security manager 145 may monitor the ISLand ESL for one or more vehicles and/or systems 1210 of a givenecosystem and upgrade or downgrade the security level based on a varietyof conditions, communications links, etc. The security manager 145 maymonitor communications between the vehicles/systems 1210 and device 1205or other components of the system 1200.

The I/O controller 1215 may manage input and output signals for thedevice 1205. The I/O controller 1215 may also manage peripherals notintegrated into the device 1205. In some cases, the I/O controller 1215may represent a physical connection or port to an external peripheral.In some cases, the I/O controller 1215 may utilize an operating systemsuch as iOS®, ANDROID®, MS-dOS®, MS-WINDOWS®, OS/2®, UNIX®, LINUX®, oranother known operating system. In other cases, the I/O controller 1215may represent or interact with a modem, a keyboard, a mouse, atouchscreen, or a similar device. In some cases, the I/O controller 1215may be implemented as part of a processor. In some cases, a user mayinteract with the device 1205 via the I/O controller 1215 or viahardware components controlled by the I/O controller 1215.

The transceiver 1220 may communicate bi-directionally, via one or moreantennas, wired, or wireless links as described herein. For example, thetransceiver 1220 may represent a wireless transceiver and maycommunicate bi-directionally with another wireless transceiver. Thetransceiver 1220 may also include a modem to modulate the packets andprovide the modulated packets to the antennas for transmission, and todemodulate packets received from the antennas.

In some cases, the wireless device may include a single antenna 1225.However, in some cases the device may have more than one antenna 1225,which may be capable of concurrently transmitting or receiving multiplewireless transmissions.

The memory 1230 may include RAM and ROM. The memory 1230 may storecomputer-readable, computer-executable code 1235 including instructionsthat, when executed, cause the processor to perform various functionsdescribed herein. In some cases, the memory 1230 may contain, amongother things, a BIOS which may control basic hardware or softwareoperation such as the interaction with peripheral components or devices.

The processor 1240 may include an intelligent hardware device, (e.g., ageneral-purpose processor, a DSP, a CPU, a microcontroller, an ASIC, anFPGA, a programmable logic device, a discrete gate or transistor logiccomponent, a discrete hardware component, or any combination thereof).In some cases, the processor 1240 may be configured to operate a memoryarray using a memory controller. In other cases, a memory controller maybe integrated into the processor 1240. The processor 1240 may beconfigured to execute computer-readable instructions stored in a memory(e.g., the memory 1230) to cause the device 1205 to perform variousfunctions (e.g., functions or tasks supporting dynamic accessibilitycompliance of a website).

The code 1235 may include instructions to implement aspects of thepresent disclosure, including instructions to support dynamicaccessibility compliance of a website. The code 1235 may be stored in anon-transitory computer-readable medium such as system memory or othertype of memory. In some cases, the code 1235 may not be directlyexecutable by the processor 1240 but may cause a computer (e.g., whencompiled and executed) to perform functions described herein.

FIG. 13 shows a flowchart illustrating a method 1300 method for securecommunications within a defined communications ecosystem in accordancewith aspects of the present disclosure. The ecosystem has an ecosystemsafety level (ESL), and a plurality of vehicles or systems existing inthe ecosystem. The operations of method 1300 may be implemented by adevice or its components as described herein. For example, theoperations of method 1300 may be performed by a security manager 145 asdescribed with reference to FIG. 1. In some examples, a device mayexecute a set of instructions to control the functional elements of thedevice to perform the functions described herein. Additionally oralternatively, a device may perform aspects of the functions describedherein using special-purpose hardware.

At 1305, the method 1300 includes determining whether a first individualsafety level (ISL) for a first vehicle or system in the ecosystem isequal to or greater than the ESL. At 1310, the method 1300 includesdetermining if the first ISL does not meet or exceed the ESL, andproviding a communication link between the first vehicle or system and asecond vehicle or system of the ecosystem, the second vehicle or systemhaving a second ISL, and the second ISL being equal to or greater thanthe ESL. At 1315, the method 1300 includes operating the first vehicleor system in a safe operating mode with the first ISL being at leastequal to the ESL because of the communication link between the firstvehicle or system and the second vehicle or system.

The method 1300 may further include at least periodically recalculatingthe first ISL, the second ISL and the ESL, and modifying thecommunication link if the first ISL becomes equal to or greater than theESL, or the second ISL becomes less than the ESL.

The ESL may be based on at least one of operating conditions, needs,capabilities, terrain, restrictions, and availability. The method 1300may include automatically disconnecting the communication link if theESL is lower than or equal to the first ISL. The method 1300 may includeinvoking a predetermined action for the first vehicle or system if thefirst ISL does not meet or exceed the ESL then the communication link isnot created. The method 1300 may include determining the first ISL usingat least one of health status, authority, capability, and environmentcapabilities for the ecosystem.

The health status may include at least one of communication signalstrength, built-in test results, and real-time vehicle performance.Authority may include at least one of team leader status, team memberstatus, and lost communication status. Capability may include at leastone of promotion/demotion enabled, maneuverability,sensor/payback/weapons, and energy/fuel requirements and reserves.Environment may include at least one of altitude, climate or terrain,and atmospheric conditions or weather.

It should be noted that the methods described herein describe possibleimplementations, and that the operations and the steps may be rearrangedor otherwise modified and that other implementations are possible.Furthermore, aspects from two or more of the methods may be combined.

The IMSAFE architecture may enable AI/ML algorithms to be used on costeffective UAS platforms in numerous applications that directly orindirectly improve the quality of life for the civilian and militarypopulation may create a niche in the marketplace. With IMSAFEarchitecture, it is, for example, possible to develop a singleground-based (or air and ground combination) safety-critical system tobe sold to third parties that allow them to purchase and/or develop lowcost UASs with whatever non-deterministic AI/ML algorithms meet theirbusiness needs and continually upgrade/improve their UAS fleet withouthaving to go through a lengthy and expensive certification process eachtime. IMSAFE architecture may be implement in such a way that asafety-critical system (or network of systems) can be developed thatallows customers to execute safe, autonomous flight using asubscription-based revenue model. In this case, if licensed, thecustomer's UAS can participate in the multi-level safety environment. Asubscription based model may allow for more customers since the barrierto entry for smaller delivery companies competing with larger companiesis reduced since the smaller company can purchase a subscription for asmaller fleet of custom UASs without needing capital to develop andcertify their own system that allows them to fly in the NAS.

Because of the maturity and acceptance of UAS delivery, an initialproduct offering in this market makes sense. As the Department ofDefense, for example, continues to research and implement AI/MLsolutions for UASs in the battle field that need autonomous targetingand weapons release, the IMSAFE architecture may provide a competitiveadvantage for winning future military contracts since the UAS's role inMUM-T cannot be expanded to autonomous attack operations incommunication denied environments without solving the airworthinesscertification problem. With commercial space flight solutions maturingto higher readiness levels and the introduction of, for example, theU.S. Space Force, the market for safe, low-cost unmanned vehicleoperations will likely transition into orbit at a future date.

The description set forth herein, in connection with the appendeddrawings, describes example configurations and does not represent allthe examples that may be implemented or that are within the scope of theclaims. The term “exemplary” used herein means “serving as an example,instance, or illustration,” and not “preferred” or “advantageous overother examples.” The detailed description includes specific details forthe purpose of providing an understanding of the described techniques.These techniques, however, may be practiced without these specificdetails. In some instances, well-known structures and devices are shownin block diagram form in order to avoid obscuring the concepts of thedescribed examples.

In the appended figures, similar components or features may have thesame reference label. Further, various components of the same type maybe distinguished by following the reference label by a dash and a secondlabel that distinguishes among the similar components. If just the firstreference label is used in the specification, the description isapplicable to any one of the similar components having the same firstreference label irrespective of the second reference label.

Information and signals described herein may be represented using any ofa variety of different technologies and techniques. For example, data,instructions, commands, information, signals, bits, symbols, and chipsthat may be referenced throughout the description may be represented byvoltages, currents, electromagnetic waves, magnetic fields or particles,optical fields or particles, or any combination thereof.

The various illustrative blocks and modules described in connection withthe disclosure herein may be implemented or performed with ageneral-purpose processor, a DSP, an ASIC, an FPGA or other programmablelogic device, discrete gate or transistor logic, discrete hardwarecomponents, or any combination thereof designed to perform the functionsdescribed herein. A general-purpose processor may be a microprocessor,but in the alternative, the processor may be any conventional processor,controller, microcontroller, or state machine. A processor may also beimplemented as a combination of computing devices (e.g., a combinationof a DSP and a microprocessor, multiple microprocessors, one or moremicroprocessors in conjunction with a DSP core, or any other suchconfiguration).

The functions described herein may be implemented in hardware, softwareexecuted by a processor, firmware, or any combination thereof. Ifimplemented in software executed by a processor, the functions may bestored on or transmitted over as one or more instructions or code on acomputer-readable medium. Other examples and implementations are withinthe scope of the disclosure and appended claims. For example, due to thenature of software, functions described herein may be implemented usingsoftware executed by a processor, hardware, firmware, hardwiring, orcombinations of any of these. Features implementing functions may alsobe physically located at various positions, including being distributedsuch that portions of functions are implemented at different physicallocations. Also, as used herein, including in the claims, “or” as usedin a list of items (for example, a list of items prefaced by a phrasesuch as “at least one of” or “one or more of”) indicates an inclusivelist such that, for example, a list of at least one of A, B, or C meansA or B or C or AB or AC or BC or ABC (i.e., A and B and C). Also, asused herein, the phrase “based on” shall not be construed as a referenceto a closed set of conditions. For example, an exemplary step that isdescribed as “based on condition A” may be based on both a condition Aand a condition B without departing from the scope of the presentdisclosure. In other words, as used herein, the phrase “based on” shallbe construed in the same manner as the phrase “based at least in parton.”

Computer-readable media includes both non-transitory computer storagemedia and communication media including any medium that facilitatestransfer of a computer program from one place to another. Anon-transitory storage medium may be any available medium that can beaccessed by a general purpose or special purpose computer. By way ofexample, and not limitation, non-transitory computer-readable media cancomprise RAM, ROM, electrically erasable programmable read-only memory(EEPROM), compact disk (CD) ROM or other optical disk storage, magneticdisk storage or other magnetic storage devices, or any othernon-transitory medium that can be used to carry or store desired programcode means in the form of instructions or data structures and that canbe accessed by a general-purpose or special-purpose computer, or ageneral-purpose or special-purpose processor. Also, any connection isproperly termed a computer-readable medium. For example, if the softwareis transmitted from a website, server, or other remote source using acoaxial cable, fiber optic cable, twisted pair, digital subscriber line(DSL), or wireless technologies such as infrared, radio, and microwave,then the coaxial cable, fiber optic cable, twisted pair, digitalsubscriber line (DSL), or wireless technologies such as infrared, radio,and microwave are included in the definition of medium. Disk and disc,as used herein, include CD, laser disc, optical disc, digital versatiledisc (DVD), floppy disk and Blu-ray disc where disks usually reproducedata magnetically, while discs reproduce data optically with lasers.Combinations of the above are also included within the scope ofcomputer-readable media.

The description herein is provided to enable a person skilled in the artto make or use the disclosure. Various modifications to the disclosurewill be readily apparent to those skilled in the art, and the genericprinciples defined herein may be applied to other variations withoutdeparting from the scope of the disclosure. Thus, the disclosure is notlimited to the examples and designs described herein, but is to beaccorded the broadest scope consistent with the principles and novelfeatures disclosed herein.

What is claimed is:
 1. A method for secure communications within adefined communications ecosystem, the ecosystem having an ecosystemsafety level (ESL), a plurality of vehicles or systems existing in theecosystem, the method comprising: determining whether a first individualsafety level (ISL) for a first vehicle or system in the ecosystem isequal to or greater than the ESL; if the first ISL does not meet orexceed the ESL, providing a communication link between the first vehicleor system and a second vehicle or system of the ecosystem, the secondvehicle or system having a second ISL, the second ISL being equal to orgreater than the ESL; operating the first vehicle or system in a safeoperating mode with the first ISL being at least equal to the ESLbecause of the communication link between the first vehicle or systemand the second vehicle or system.
 2. The method of claim 1, furthercomprising: at least periodically recalculating the first ISL, thesecond ISL, and the ESL; modifying the communication link if the firstISL becomes equal to or greater than the ESL, or the second ISL becomesless than the ESL.
 3. The method of claim 2, wherein: the EcosystemSafety Level (ESL) is based on at least one of operating conditions,needs, capabilities, terrain, restrictions, and availability.
 4. Themethod of claim 2, further comprising: automatically disconnecting thecommunication link if the ESL is equal to or less than the first ISL. 5.The method of claim 1, further comprising: invoking a predeterminedaction for the first vehicle or system if the first ISL does not meet orexceed the ESL and the communication link is not created.
 6. The methodof claim 1, further comprising: determining the first ISL using at leastone of health status, authority, capability, and environment.
 7. Themethod of claim 1, wherein: health status includes at least one ofcommunication signal strength, built-in-test results, and real-timevehicle performance; authority includes at least one of team leaderstatus, team member status, lost communications status; capabilityincludes at least one of promotion/demotion enabled, maneuverability,sensor/payload/weapons, and energy/fuel requirements and reserves;environment includes at least one of altitude, climate or terrain, andatmospheric conditions/weather.
 8. A communications ecosystem,comprising: an ecosystem safety level (ESL); a plurality of vehicles orsystems, each vehicle or system having an individual safety level (ISL);a control system operable to determine whether the ISL for each vehicleor system meets or exceeds the ESL; one or more communications linksbetween any first vehicle or system having a first ISL that does notmeet or exceed the ESL and a second vehicle or system with a second ISLthat does meet or exceed the ESL such that the first vehicle or systemoperates at the second ISL.
 9. The ecosystem of claim 8, furthercomprising: a human override capability that controls the one or morecommunications links.
 10. The ecosystem of claim 9, further comprising:a controller configured to determine when to create or eliminate the oneor more communications links based on a real-time status of the ESL andthe first and second ISLs.
 11. The ecosystem of claim 9, wherein: theESL and the first and second ISLs are independently variable, and theone or more communications links are automatically controlled based onreal-time comparisons of the ESL with the first and second ISLs.
 12. Theecosystem of claim 8, wherein: the first vehicle or system operatesbased on one or more predetermined conditions when disconnected from thesecond vehicle or system.
 13. A communications system, comprising: afirst ecosystem having a first ecosystem safety level (ESL); a secondecosystem having a second ESL: a first vehicle or system having a firstindividual safety level (ISL), the first ISL being less than the firstESL; a second vehicle or system having a second ISL, the second ISLbeing equal to or greater than the first ESL; a first communicationslink between the first vehicle or system and the second vehicle orsystem that promotes the first ISL to be equal to the second ISL toprovide safe operation of the first vehicle or system in the firstecosystem.
 14. The system of claim 13, further comprising: a thirdvehicle or system having a third ISL, the third ISL being equal to orgreater than the second ESL; a second communications link between thefirst vehicle or system and the third vehicle or system that promotesthe first ISL to be equal to the third ISL to provide safe operation ofthe first vehicle or system in the second ecosystem.
 15. The system ofclaim 13, wherein: the first communications link is disconnected if thefirst ISL increases to be equal to or greater than the first ESL or thesecond ISL drops below the first ESL.
 16. The system of claim 13,wherein: wherein the second communications link is disconnected if thefirst ISL increases to be equal to or greater than the second ESL or thethird ISL drops below the second ESL.